How to roll your own VPN on Windows

A virtual private network (VPN) service is a good way to secure your web traffic and keep it private from snoops like a nosy internet service provider or passive government surveillance. One problem with VPN services, however, is that you have to implicitly trust that your VPN provider isn’t doing something shady such as monitoring the sites you visit.

That’s why for the extra privacy-conscious a third-party VPN won’t do. The alternative then is to create your own VPN on a private virtual server that you control using a project such as Algo from security firm Trail of Bits.

The basic idea is that if you control your own VPN then there’s less chance of shenanigans. You do have to trust the people making the software you use; however, I’d argue there’s less incentive for those people to sneak monitoring tools onto your server compared to a VPN provider. That’s not to say that all VPN service providers are out to get your data, but the potential is always there.

As for Algo—the project we’re using for this tutorial—all of its code is on GitHub for anyone who wants to take a deeper look—though admittedly that requires technical knowledge. When you’re done you’ll have a VPN service using the IKEv2 protocol that you control.

The downside of running your own VPN service is that some features of regular VPNs won’t be open to you, such as getting around Netflix’s VPN ban.

Another issue is that you can’t expect to have a high level of anonymity online when you run a VPN on your own server. Online privacy yes, but anonymity, not really. That server and its IP address will be tied to your real identity, and finding out who you are would be relatively easy for any authority looking for you. So don’t run your own VPN using this tutorial if you need to hide from a government or you’re up to something illegal such as piracy.

Only use Algo as a means to keep your web traffic private from snoops, because that’s all it can really do.

What is Algo?

Trail of Bits

Security firm Trail of Bits created Algo.

Algo is a set of command-line scripts that automate setting up a VPN server. It integrates with well-known virtual server providers such as Amazon EC2 or DigitalOcean. For this tutorial we’ll be using DigitalOcean, because it’s very user friendly and costs $5 a month. At $60 per year that’s about what you’d spend on a commercial VPN service.

Algo pre-requisites

To use Algo we’re going to need a few things. For starters, you need Bash for Ubuntu on Windows running on your Windows 10 machine. We don’t have time to get into how to do that here, but we have a tutorial on how to set up Bash on Windows that walks you through the process.

If you’re using Windows 7, then your best bet is to use Cygwin, a version of Bash that runs on Windows. Cygwin can be a little confusing to get your head around when it comes to installing its various component parts. For that reason, using Windows 10 is preferable.

Once Bash is up and running it’s time to dive in. Do not fear if you’ve never used a command line. I’ll walk you through each step of the process, show you what to type, and what it all means at each step. It may seem like a lot, but it’s really not. An experienced user can be up and running with an Algo-assembled server in less than 20 minutes, and most of that time is spent waiting on Algo to finish its automated process.

IDG

Download Algo to your computer using the program “wget.”

Install Algo and other tools

First, let’s download Algo and get ready to use it. Type the following into your bash terminal: wget https://github.com/trailofbits/algo/archive/master.zip.

Wget is a program used to download files from the internet, and the URL is the address for the ZIP file containing the Algo files.

Now, we have to unzip Algo. To do that type unzip master.zip

When that’s done type ls, which lists all the directories (folders) and files in your command line’s home directory. There should be one named algo-master. To move into that directory type cd algo-master, which means “change directory to algo-master.”

Before we can use Algo we need to install several command-line tools while in this folder. Algo’s GitHub page advises installing these all in one go, but we’re going to do it one by one.

To start, enter the following command: sudo apt-get update && sudo apt-get install. Sudo invokes administrator privileges and is a common first command when working on a Linux command line. Apt-get is the program that installs packages (programs) in your command-line environment. The && symbols tells Bash to carry out the command after the symbols if the command before them completed successfully.

The update command refreshes the list of packages available for your command-line environment and marks which ones are out of date. Then the install command actually puts the new software on your machine.

Python Software Foundation

Algo requires you to install some Python tools via the command line.

Next, we’re going to install a bunch of Python tools. Python is a popular scripting language that many developers use. Type each line into your command line, hit Enter, and then when it finishes running, type the next one.

sudo apt-get install build-essential -y

sudo apt-get install libssl-dev -y

sudo apt-get install libffi-dev -y

sudo apt-get install python-dev -y

sudo apt-get install python-pip -y

sudo apt-get install python-setuptools -y

sudo apt-get install python-virtualenv -y

Doing it this way is very pedantic, but it’s ultimately simpler for troubleshooting if anything goes wrong. The one item that’s most useful for regular users to know about is python-pip. Pip is a special tool that lets you easily install Python packages on your machine. It’s kind of like apt-get for Python. If you ever decide to dabble in Python or command-line tools written in Python then Pip will become a familiar tool.

The -y at the end of each line stands for “yes,” and including it means you don’t have to type it each time the computer asks if you really want to install the software.

After you’ve done all that work, we have to install a few more extras that Algo needs. Type or paste the following into the command line:

Once you’ve signed up you’ll need to generate an API key so that Algo can take care of setting up the server—or “droplet,” in DigitalOcean’s terminology. The API key is just a long string of letters and numbers that lets Algo log in as you, and make changes to your account.

In the pop-up window give your token a name; make sure Read and Write are checked under Select scopes and then click Generate token. Copy the string that appears and save it somewhere for later. Once you leave this page the key will disappear, and you won’t be able to copy it again.

IDG

Run Algo

Now it’s back to the command line to get Algo to do its thing. Well, almost. There’s one last configuration detail to take care of. Type nano config.cfg into the command line. This opens Algo’s primary configuration file in a very easy-to-use text editor called Nano. To use Nano navigate the file with your arrow keys, and use the keyboard to type as you normally would.

IDG

Add the names of your VPN’s users here. You can pick any name you want.

Under “users:” erase the names you see there and list the names of the people who will be using your VPN, with a dash before each name; also make sure each name is on its own line. My configuration file is seen above as an example. To exit, press Ctrl + O to save your changes and then Ctrl + X to exit.

Finally, we’ve arrived at the big moment. Time to configure your server. Make sure you are still in the algo-master folder—you should be. If not, type cd algo-master again.

IDG

Now we begin the Algo setup process.

Now type ./algo to run the Algo setup process. The period and slash before the name tells the computer to run a script in Bash.

From here on in we’re going to be asked a bunch of questions by Algo. The first one asks which server provider you’re using, along with a list of options. We want DigitalOcean, which at this writing was first on the list, so type 1 and hit Enter.

Now you’ll be asked for your DigitalOcean API token, which you saved previously. Paste that into the terminal by right-clicking where the cursor is. For security reasons you won’t see the API key being pasted in—you’ll just have to trust that it worked. Hit Enter again.

Next you have to name the VPN server. Call it whatever you like, but for this example we’ll call it “TestAlgo” and hit Enter.

IDG

Choose your data center location where your VPN will be housed.

Next we have to choose our server location. Choose the location closest to you, or in another country if you like. Just keep in mind that the farther away you are from your VPN server the slower your VPN connection will be. For this example, we’ll choose one of the New York servers and hit Enter.

Now we get into three macOS/iOS-specific questions. I’d advise answering yes to the first two questions to keep your options open, unless you don’t own any Apple devices.

Next, name any trusted Wi-Fi networks your Apple devices will be using that won’t require a VPN connection. Place a comma between each network, but don’t put a space between the items. If you don’t have any networks to name here just press Enter.

If you want to block ads while using the VPN—that’s a good idea to cut down on online tracking—then type y and hit Enter. Also type y for the next two questions, for security reasons, allowing each user to have their own SSH tunnel and to apply security enhancements to the server.

IDG

There are a lot of questions, and most of the time the answer is “y” for “yes.”

Now it asks you if you want to support Windows 10 or Linux PCs, which you do. Then it asks if you want to retain the certificate authority key. If you want to add users in the future type y. You’ll receive this key in the final stage.

That’s it. If everything goes well you’ll be up and running with a VPN server in less than 15 minutes. If it doesn’t work, try again with a different server location. I found that Algo sometimes has a problem with certain DigitalOcean data centers.

IDG

Algo’s success message.

Once Algo is finished you’ll see a success message like the one pictured above. Make sure you copy the p12 and SSH Key password, the CA key password if you opted to keep it, and the shell access information. Save this information in a password manager or somewhere else that’s secure.

Set up your PC

The hard part is over. But we still have one last command-line task in order to set up your PC’s new VPN connection. When you connect you won’t be using a desktop program but Windows’ built-in VPN client. The good news is we only have to copy two files and give PowerShell a one-line command.

To copy the files make sure you are in your Algo folder. If not, enter the following command:

cd algo-master/configs/

otherwise type:

cd configs

Now type ls to see the files listed there. You should see one folder name that uses an IP address in a format such as XX.XXX.XXX.XX or XXX.XXX.XX.XXX or something similar. We need to enter that folder. In my case the IP address was 104.131.36.207 so I’d type in cd 104.131.36.207. In your case, type “cd” but use the IP address that you see.

Now, let’s copy the files from your Bash home folder to the root of your Windows user folder. To do this you’ll need to remember the user name you entered in the config file earlier. In my case it’s “Ian” so the files that I need to copy are named “windows_Ian.ps1” and “Ian.p12”. To copy them I’d enter the following command:

cp windows_Ian.ps1 Ian.p12 /mnt/c/Users/[your Windows username]/

Okay, so what’s going on here? First, the cp bit means “copy,” then we have the names of the files we need to copy, and finally we have the location we’re copying the files to.

In order to copy files between the Linux user space on your Windows machine and your regular Windows space you need to use /mnt/c/, which tells Linux to copy the files to the primary Windows partition. If you have a D drive, you need to copy to then you’d use /mnt/d/.

Now that the files are copied, close Bash for Windows.

Microsoft

Install your Algo VPN credentials on Windows via PowerShell.

Next, from the desktop tap the Windows key and type Powershell into the Cortana search bar. Select the top option, which should be Windows PowerShell. When the window opens type in cd $home and hit Enter.

Okay, one last step to go. Type the following into PowerShell from your user folder:

powershell -ExecutionPolicy ByPass -File windows_Ian.ps1 Add

Remember to substitute the name of my ps1 file with yours.

Test it out

That’s it! You should be all set up, so let’s test our VPN connection. First, type into Google what is my IP address and make note of the number that Google gives you at the top of the search results page.

Now tap the Wi-Fi or ethernet icon in the lower right of your Windows 10 taskbar, and you should see a new connection named Algo with an IP address. Click that, and you should get a positive connection message within seconds.

Finally, let’s make sure our connection is complete. Go to ipleak.net. Wait and you should see that your IP address has changed. Advanced users can also go to DNSleaktest.com, and select Extended test to check that their DNS servers have also changed.

Congratulations, you’ve made it. You’ve now got your own VPN connection that you can manage without relying on a third-party service. If you also want to use your VPN connection on an Android or iOS device check out Algo’s tutorial docs on Github for information on how to do that.

Latest Videos

Hear from Invictus Games Sydney 2019 CEO, Patrick Kidd OBE and Head of Technology, @James-d-smith -share their insights on how they partnered with Unisys to protect critical data over an open, public WiFi solution.

With so much change all the time, how can executives best prepare their businesses to meet the security challenges of the coming years? CSO Australia, in conjunction with Mimecast, explored this question in an interactive Webinar that looks at how the threat landscape has evolved – and what we can expect in 2019 and beyond.

According to new research conducted by the Ponemon Institute, Australia and New Zealand have the highest levels of data breaches out of the nine countries investigated. This was linked to heavy investment in security detection and an under-investment in security and vulnerability response capabilities

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.